[ISN] REVIEW: "Computer Security: Art and Science", Matt Bishop

From: InfoSec News (isnat_private)
Date: Thu Feb 13 2003 - 23:26:08 PST

    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKCMSCAS.RVW   20030122
    "Computer Security: Art and Science", Matt Bishop, 2003,
    0-201-44099-7, U$74.99/C$116.99
    %A   Matt Bishop bishopat_private nob.cs.ucdavis.edu/~bishop/
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
    %D   2003
    %G   0-201-44099-7
    %I   Addison-Wesley Publishing Co.
    %O   U$74.99/C$116.99 416-447-5101 fax: 416-443-0948 bkexpressat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0201440997/robsladesinterne
    %P   1084 p.
    %T   "Computer Security: Art and Science"

    First off, the book is very academic: heavy on formal methods, formal
    models, and symbolic logic, while it's rather light on explanation. 
    In addition, though, the preface says that the goal of the book is to
    make certain points.  The first is to prove that theory is relevant to
    practice.  I would agree, but the initial example used to illustrate
    this is less than convincing.  In addition, as the book progresses, it
    is easy to see where Bishop tries to prove this element--and extremely
    difficult to see where he supports the thesis.  Second, he wants to
    say that cryptography is not the same as security (I would have
    thought that was self evident to anyone with the slightest experience
    in the field, and Bruce Schneier made that point in "Secrets and Lies"
    [cf. BKSECLIE.RVW]).  Third is that security is an art as well as a
    science.  I am in sympathy with this last assertion, but it is
    somewhat at odds with other aspects of the work.  For example,
    "assurance" is seen as a major factor in the volume, and the
    introduction to the topic appears to prove that assurance relies upon
    a strict adherence to the scientific aspect of security.

    Part one is an introduction to security.  Chapter one is an overview
    of security concepts.  It is written with an apparent authority that
    masks a number of gaps and the fact that there is a compilation of
    concepts and terms with little analysis.  For example, the seeming
    attempt to relate the basic security requirements of confidentiality,
    availability, and integrity (the famous "CIA" triad) to Robert
    Shirey's proposed classes of threats may confuse some readers, partly
    because the CIA is three to Shirey's basic four, and also because it
    may not be clear how the Shirey taxonomy relates to errors.  The
    examples given in the book are overly detailed, and therefore it is
    confusing to try and extract the main point of an illustration.  There
    are questions at the end of the chapter.  They are not the simplistic
    reading checks of all too many books, but Bishop goes too far in the
    other direction.  The questions are unstructured and open-ended,
    admitting of no particular answer.  They may be useful for the teacher
    trying to prompt discussion, but students will find them vague and
    probably irrelevant.

    Part two is entitled "Foundations."  It is possible to get a vague
    idea of why Bishop thinks this is so, but the material is hardly
    compelling.  Chapter two takes an, again, overly formal and
    underexplained, look at the access control matrix.  Rather ironically,
    in the midst of this blizzard of symbolic logic, the author tries to
    promote the simplicity and practicality of the model.  The tutorial
    material almost completely vanishes under the avalanche of set theory
    proofs in chapter three, as Bishop tries to pull foundational results
    out of the Harrison-Ruzzo-Ullman work, and others.

    Part three looks at policy, but not in the sense that most
    professionals would think of it.  Chapter four defines security
    policies strictly in terms of allowed states, although it does later
    discuss the more widely recognized management policies.  In fact we
    are presented with a large number of rather questionable definitions,
    such as military policy (equivalent to confidentiality, apparently)
    and identity-based access control (IBAC, which Bishop says is the same
    as discretionary access control, a very questionable equation).  We
    are, however, given a respite from symbolic logic for a while.  There
    is an attempt to relate the Bell-LaPadula model, as an example of
    confidentiality policy, to the Data General B2 UNIX and Multics, in
    chapter five.  Biba and Clark-Wilson are, of course, the integrity
    policies reviewed in chapter six.  Chapter seven, though, tries to
    express Chinese Wall and medical information systems as formal "hybrid
    policies," and doesn't do very well.  Non-interference and policy
    composition, in chapter eight, endeavours to address covert channels,
    but doesn't say anything very clearly.

    Part four looks at cryptography, but in a rather disorganized manner.
    Chapter nine outlines the basics of cryptography, and does a
    surprisingly good job of discussing substitution and transposition
    ciphers, along with a variety of frequency analysis attacks to beat
    them, then gives examples of the fundamental asymmetric algorithms,
    and ends with cryptographic checksums.  The rudimentary requirements
    of key management are described in chapter ten, which also introduces
    digital signatures.  Chapter eleven seems to be an attempt to discuss
    design requirements for "real" (rather than theoretical)
    cryptosystems.  Authentication, in chapter twelve, deals with
    passwords, challenge/response systems, and biometrics, and only
    touches on cryptography in passing.

    Part five talks about systems, but repeats a lot of earlier material.
    Chapter thirteen is a good list of design principles, although not all
    of them are explained well.  A variety of entities that need to have
    their identity represented are listed in chapter fourteen, which also
    discusses certificates, following some of the content from the
    cryptographic section.  Chapter fifteen deals with access control
    mechanisms, expanding on chapter two.  The topic of information flow,
    in chapter sixteen, starts out with a repeat of part three, and then
    tries to address topics related to systems development.  Chapter
    seventeen, on the confinement problem, is mostly a repeat, and
    expansion, of the covert channel discussion from chapter five.

    Part six, on assurance, is written by Elizabeth Sullivan, and is an
    altogether different book.  Chapter eighteen, the introduction, covers
    what assurance is and why it is needed, and is excellent.  Building
    systems with assurance, in chapter nineteen, describes architectural
    and procedural factors in security design.  Formal methods, and a
    number of examples of tools for formal methods, are reviewed in
    chapter twenty.  Chapter twenty one, on evaluating systems, provides a
    terrific overview of TCSEC (Trusted Computer System Evaluation
    Criteria), ITSEC (Information Technology Security Evaluation
    Criteria), FIPS-140, and the Common Criteria (and one could only wish
    she had covered British Standard 7799 or ISO 17799 as well).

    Part seven deals with special topics.  Chapter twenty two, on
    malicious logic, shows that while Bishop has read some of the good
    books on viruses, he has also read some very questionable material as
    well, and passes along some of the persistent myths.  Cohen's proof of
    "undecidability" in virus determination (section 22.6) is not well
    explained for those not completely familiar with both symbolic logic
    and Turing machines.  Therefore, the relevance of the proof to
    practical security is not clear, since it seems to address only
    appending or prepending viruses, which are difficult concepts to use
    in regard to modern email viruses.  Vulnerability analysis, in chapter
    twenty three, flips back and forth between efforts to describe
    academic work in relation to penetration testing, and telling stories
    about exploits.  In chapter twenty four, supposedly on auditing, it is
    quite apparent that Bishop simply cannot wait to discuss intrusion
    detection systems, which actually aren't due until chapter twenty

    Part eight, "Practicum," purports to use the earlier material in
    practical settings.  Chapters twenty six to twenty nine relate points
    from earlier chapters to a fictitious company in terms of network,
    system, user, and program security.

    Part nine, entitled "End Matter," contains essays or appendices on
    lattices (the mathematical ones, not the security access lattices),
    the extended Euclidean algorithm, entropy, virtual machines, symbolic
    logic, and a sample academic security policy.  None are terribly

    One extremely odd aspect of the book is that figures are given in the
    same font as the text, and are not distinguished in any way, so having
    figures and text on the same page can make it very confusing to
    separate the two.

    Having cavilled my way through the entire book, I do have to admit
    that there is a good deal of solid security material contained within
    the pages.  In the hands of a really competent teacher, this volume
    could be used to teach a fairly theoretical course in many aspects of
    security.  I'm not sure that I'd want to inflict it on any students in
    any course I'd be likely to teach, no matter how annoyed I got with
    them.  The overriding problem is to extract the decent content, and
    organize it in a reasonable fashion.  Bishop does not, in the end,
    seem to provide much evidence for his assertion that theory is
    relevant to practice.  As far as security being an art is concerned,
    he makes it out to be a very arcane one.

    I could not, in good conscience, recommend this as the sole text for
    any course.  And I'd be hard pressed to recommend it as reference
    material for anyone else.

    copyright, Robert M. Slade, 2003   BKCMSCAS.RVW   20030122
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
              March 31, 2003           Indianapolis, IN